Difference between revisions of "API"

From BC$ MobileTV Wiki
An '''A'''pplication '''P'''rogramming '''I'''nterface (commonly abbreviated as ''API'') is a mechanism for exposing the core functionality of an application (such as a client or desktop program, web site or web service) to an external application (of any of the previously mentioned types).
Since the days of [[Web 2.0]], an API is seen as a crucial element to any Web Application or Web Service. In general though, APIs are crucial parts of an application design and implementation strategy. They ensure the involvement of third-parties and outside developers in the products and services you create, and they can also help to breed innovation.

{|align="left"
| __TOC__
|}

{{#widget:SlideShare
|doc=johnmusserglueconmay2011-110525110226-phpapp02
|width=350
|height=275
}}
{{#widget:SlideShare
|doc=preso-1208985232644502-9
|width=350
|height=275
}}
{{#widget:SlideShare
|doc=jmusserosconapis2012-120719031827-phpapp01
|width=350
|height=275
}}

== Specifications ==

=== OpenAPI ===
[[File:Swagger-to-OpenAPI.png|Swagger (OpenAPIv2) to OpenAPIv3|450px|right]]

OpenAPI is an [[OSS]] specification and an associated [[OSS]] set of tools (with commercial/enterprise-grade supported options) for designing, documenting, sharing, inspecting/analyzing, stubbing/mocking, validating, comparing and/or serving API endpoints together with their associated auth mechanisms, headers, request/response pair examples, actual payloads, error messages/conditions, etc. It is seen as the cross-platform (SOAP, REST, REST-JSON/XML, XML-RPC, etc.) [[Web Service]] documentation alternative to the more protocol-specific [[WSDL]] ([[SOAP]]) & [[WADL]] ([[REST]]) specifications.

For more, see: [[OpenAPI]]

* OpenAPI: https://github.com/OAI/OpenAPI-Specification | [https://github.com/OAI/OpenAPI-Specification/blob/OpenAPI.next/versions/3.0.0.md v3.0]<ref>What is OpenAPI?: https://swagger.io/docs/specification/about/</ref>
* '''OpenAPI v3.0 spec: https://www.openhttp://theapistack.com/jsonapis.org/specification/v3insights'''
<ref>'''The OpenAPI Specification Version 3.0 Highlights: https://apievangelist.com/2017/01/25/the-openapi-specification-version-30-highlights/'''</ref>
<ref>Open API Initiative Announces Release of the OpenAPI Spec v3 Implementer’s Draft: https://www.openapis.org/blog/2017/03/01/openapi-spec-3-implementers-draft-released</ref>
<ref>OpenAPI 3.0, And What It Means for the Future of Swagger (WEBINAR): https://swaggerhub.com/blog/api-resources/openapi-3-0-video-tutorial/ | [https://www.slideshare.net/SmartBear_Software/openapi-30-and-what-it-means-for-the-future-of-swagger SLIDES]</ref>
<ref>A Visual Guide to What's New in Swagger 3.0: https://blog.readme.io/an-example-filled-guide-to-swagger-3-2/</ref>
<ref>Comparing OpenAPI/Swagger 2.0 and 3.0.0-rc1: https://dev.to/mikeralphson/comparing-openapiswagger-20-and-300-rc1</ref>
<ref>What’s New in OpenAPI 3.0: http://nordicapis.com/whats-new-in-openapi-3-0/</ref>
<ref>Looking to Create OpenAPI 3.0 For Your API? Swagger Inspector Has Your Back: https://swagger.io/blog/convert-oas-3-swagger-inspector/#sendgrid_mc_email_subscribe</ref>
<ref>Migrating to OpenAPI 3.0 -- How to Convert Your Existing APIs with Swagger Tools: https://swagger.io/resources/webinars/convert-api-to-oas-3-with-swagger-tools/</ref>
<ref>Tutorial - Converting your Swagger 2.0 API Definition to OpenAPI 3.0: https://blog.runscope.com/posts/tutorial-upgrading-swagger-2-api-definition-to-openapi-3</ref>
<ref>Collaborating Across the API Lifecycle -- How to Setup an API Workflow that Scales: https://swagger.io/resources/webinars/collaborating-across-the-api-lifecycle/</ref>
<ref>How about OpenAPI descriptions and Swagger UI in your Java REST API?: https://tryingthings.wordpress.com/2020/05/20/how-about-openapi-descriptions-and-swagger-ui-in-your-java-rest-api/</ref>


=== AsyncAPI ===

Event Driven Architecture (EDA) focused API specification format that supports special documentation for push, WebHooks, messaging, long-polling, etc.

* AsyncAPI: https://www.asyncapi.com/
* AsyncAPI – Documentation of event- and message-driven architectures: https://blog.codecentric.de/en/2021/09/asyncapi-documentation-event-message-driven-architectures/


=== APIs.json ===

'''APIs.json''' is a machine-readable approach that API providers can use to describe their [[API]] operations, similar to how web sites are described using the [[Sitemap]].xml spec, but for listing/discovery of Web Services and their operations.

* '''APIs.json: http://apisjson.org/'''
* The API Stack: http://theapistack.com/ (directory listing of APIs.JSON-documented web APIs)
<ref>API Discovery Is for Internal or External Services: https://dzone.com/articles/api-discovery-is-for-internal-or-external-services</ref>


=== RAML ===

Rest API Markup Language (RAML) is MuleSoft's alternative to Swagger/OpenAPI.

* RAML: https://raml.org<ref>[[wikipedia: RAML (software)]]</ref>
* RAML spec: https://github.com/raml-org/raml-spec


=== WADL ===

'''W'''eb '''A'''pplication '''D'''escription '''L'''anguage (''WADL'').

For more, see: [[WADL]]

* W3C -- WADL spec: https://www.w3.org/Submission/wadl/



== Types of APIs ==

=== Native/Library ===

A Native or Library API is typically an operating system-specific or programming language-specific one which provides access to certain data, methods/functionality, or commonly required utilities.

* [[wikipedia: Application programming interface]]

=== Web Services ===

Web Services are remotely callable functionality residing in another application.

==== XML-RPC ====

XML-RPC was one of the first examples of a Web Service format for remotely exchanging data, specifying the format as a strict set of XML "methods" and.
<table>
<tr><th>Request</th><th>Response</th></tr>
<tr>
<td>
  &lt;?xml version="1.0" encoding="utf-8"?>
  &lt;methodCall>
    &lt;methodName>myService.sum&lt;/methodName>
    &lt;params>
        &lt;param>
          &lt;value>&lt;int>17&lt;/int>&lt;/value>
        &lt;/param>
        &lt;param>
          &lt;value>&lt;int>13&lt;/int>&lt;/value>
        &lt;/param>
    &lt;/params>
  &lt;/methodCall>
</td>
<td>
  &lt;methodResponse>
    &lt;params>
        &lt;param>
          &lt;value>&lt;int>30&lt;/int>&lt;/value>
        &lt;/param>
    &lt;/params>
  &lt;/methodResponse>
</td>
</tr>
</table>
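The request/response pair above handled end to end with Python's standard-library xmlrpc marshalling, as an added example that is not part of the original wiki page: the methodCall is decoded, dispatched only through an explicit allow-list of method names, type-checked (the page's ''&lt;int&gt;'' parameters only) and answered with a methodResponse or a fault. The method name ''myService.sum'' and the operands 17 and 13 are the page's; the fault codes follow the widely used XML-RPC fault-code extension.

```python
import xmlrpc.client

# Constructed request: the page's myService.sum call with the integers 17 and 13.
REQUEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<methodCall>
  <methodName>myService.sum</methodName>
  <params>
    <param><value><int>17</int></value></param>
    <param><value><int>13</int></value></param>
  </params>
</methodCall>
"""

# Fault codes from the widely used XML-RPC fault-code extension.
PARSE_ERROR, METHOD_NOT_FOUND, INVALID_PARAMS = -32700, -32601, -32602


def sum_ints(a, b):
    """Strictly typed, as XML-RPC intends: only <int>/<i4> operands are accepted.
    bool is an int subclass in Python, so it is excluded explicitly."""
    for v in (a, b):
        if isinstance(v, bool) or not isinstance(v, int):
            raise TypeError(f"expected <int>, got {type(v).__name__}")
    return a + b


# Explicit allow-list: a method name on the wire can only reach entries of this
# table, never arbitrary attributes of some Python object.
METHODS = {"myService.sum": sum_ints}


def _fault(code, message):
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message), methodresponse=True)


def dispatch(request_xml):
    """Decode a methodCall, run the allow-listed handler, return methodResponse XML."""
    # The stdlib xmlrpc parser (expat) is not hardened against maliciously
    # constructed XML such as entity-expansion bombs; in production wrap it with
    # defusedxml.xmlrpc.monkey_patch() or terminate XML at a hardened gateway.
    try:
        params, method_name = xmlrpc.client.loads(request_xml)
    except Exception:
        return _fault(PARSE_ERROR, "request is not a well-formed methodCall")
    handler = METHODS.get(method_name)
    if handler is None:
        return _fault(METHOD_NOT_FOUND, f"method {method_name!r} not found")
    try:
        result = handler(*params)          # wrong arity or type -> TypeError
    except TypeError as exc:
        return _fault(INVALID_PARAMS, str(exc))
    return xmlrpc.client.dumps((result,), methodresponse=True)


def call_result(response_xml):
    """Decode a methodResponse: the returned value, or the Fault object for a fault."""
    try:
        (value,), _ = xmlrpc.client.loads(response_xml)
    except xmlrpc.client.Fault as fault:
        return fault
    return value


if __name__ == "__main__":
    print(dispatch(REQUEST_XML))       # methodResponse carrying <int>30</int>
```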


==== SOAP ====

[[SOAP]] is a contract-based (contract-first or contract-last, but contract nonetheless) approach to cross-application communication.

<table>
<tr><th>Request</th><th>Response</th></tr>
<tr>
<td>
GET http://www.mysite.com/myService?wsdl

--> Lookup required Web Service "operation"

POST http://www.mysite.com/getAddition

  &lt;?xml version="1.0" encoding="utf-8"?>
  &lt;soap:Envelope
    xmlns:soap="http://www.w3.org/2003/05/soap-envelope/"
    soap:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
    &lt;soap:Header>
      &lt;To xmlns="http://www.w3.org/2005/08/addressing">http://www.mysite.com:8181/Math/&lt;/To>
      &lt;Action xmlns="http://www.w3.org/2005/08/addressing">tns:getAddition_Request&lt;/Action>
      &lt;ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
          &lt;Address>http://www.w3.org/2005/08/addressing/anonymous&lt;/Address>
      &lt;/ReplyTo>
    &lt;/soap:Header>
    &lt;soap:Body>
    &lt;Math:getAddition xmlns:Math="https://www.mysite.com/apis/Math/v2017-08-17">
      &lt;Math:number1>17&lt;/Math:number1>
      &lt;Math:number2>13&lt;/Math:number2>
    &lt;/Math:getAddition>
    &lt;/soap:Body>
  &lt;/soap:Envelope>
</td>
<td>
  &lt;?xml version="1.0" encoding="utf-8"?>
  &lt;soap:Envelope
    xmlns:soap="http://www.w3.org/2003/05/soap-envelope/"
    soap:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
    &lt;soap:Header>
        &lt;ResponseHeader xmlns="https://www.mysite.com/apis/Math/v2017-08-17">
          &lt;requestId>123456789&lt;/requestId>
          &lt;responseTime>1350&lt;/responseTime>
        &lt;/ResponseHeader>
    &lt;/soap:Header>
    &lt;soap:Body>
      &lt;Math:getAddition xmlns:Math="https://www.mysite.com/apis/Math/v2017-08-17">
        &lt;Math:value>30&lt;/Math:value>
      &lt;/Math:getAddition>
    &lt;/soap:Body>
  &lt;/soap:Envelope>
</td>
</tr>
</table>
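The same addition as a SOAP exchange, as an added example that is not part of the original page: the request envelope is parsed namespace-aware with ElementTree, the WS-Addressing ''Action'' header is checked against the operation actually found in the ''Body'' (so a body for one operation cannot ride in under another operation's action), the operands are validated strictly, and the response envelope is built with the page's ''ResponseHeader''. Assumptions: the ''Math:'' prefix is bound to the URI the page uses for its ResponseHeader (the page itself declares no namespace for it), and the 32-bit operand range is an invented contract.

```python
import re
import xml.etree.ElementTree as ET

WSA_NS = "http://www.w3.org/2005/08/addressing"           # WS-Addressing, as in the page's To/Action headers
MATH_NS = "https://www.mysite.com/apis/Math/v2017-08-17"  # assumed: the page's ResponseHeader namespace, reused for Math:
EXPECTED_ACTION = "tns:getAddition_Request"
INT_RANGE = (-(2 ** 31), 2 ** 31 - 1)                     # assumed contract: 32-bit operands

# Constructed request: the page's getAddition envelope with the Math prefix bound to MATH_NS.
REQUEST = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope/"
    soap:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
  <soap:Header>
    <To xmlns="{WSA_NS}">http://www.mysite.com:8181/Math/</To>
    <Action xmlns="{WSA_NS}">{EXPECTED_ACTION}</Action>
  </soap:Header>
  <soap:Body>
    <Math:getAddition xmlns:Math="{MATH_NS}">
      <Math:number1>17</Math:number1>
      <Math:number2>13</Math:number2>
    </Math:getAddition>
  </soap:Body>
</soap:Envelope>""".encode("utf-8")


def _split(tag):
    """'{ns}local' -> (ns, local); an unqualified tag gets ns ''."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _parse_operand(text):
    """Accept only an optionally signed decimal integer inside the contract range."""
    if text is None or not re.fullmatch(r"\s*-?\d{1,10}\s*", text):
        raise ValueError(f"operand is not an integer: {text!r}")
    value = int(text)
    if not INT_RANGE[0] <= value <= INT_RANGE[1]:
        raise ValueError(f"operand out of range: {value}")
    return value


def handle_get_addition(envelope, request_id="123456789"):
    """Validate envelope, header and body of a getAddition request; return the response envelope."""
    root = ET.fromstring(envelope)
    soap_ns, local = _split(root.tag)          # take the SOAP namespace from the document itself
    if local != "Envelope" or not soap_ns:
        raise ValueError("root element is not a namespaced SOAP Envelope")
    header = root.find(f"{{{soap_ns}}}Header")
    body = root.find(f"{{{soap_ns}}}Body")
    if header is None or body is None:
        raise ValueError("envelope lacks Header or Body")
    # Bind the operation to the addressing header instead of guessing from the body.
    action = header.findtext(f"{{{WSA_NS}}}Action")
    if action != EXPECTED_ACTION:
        raise ValueError(f"unexpected wsa:Action {action!r}")
    op = body.find(f"{{{MATH_NS}}}getAddition")
    if op is None or len(body) != 1:
        raise ValueError("Body must contain exactly one Math:getAddition element")
    n1 = _parse_operand(op.findtext(f"{{{MATH_NS}}}number1"))
    n2 = _parse_operand(op.findtext(f"{{{MATH_NS}}}number2"))
    return _build_response(soap_ns, n1 + n2, request_id)


def _build_response(soap_ns, value, request_id):
    ET.register_namespace("soap", soap_ns)
    ET.register_namespace("Math", MATH_NS)
    env = ET.Element(f"{{{soap_ns}}}Envelope")
    hdr = ET.SubElement(env, f"{{{soap_ns}}}Header")
    rh = ET.SubElement(hdr, f"{{{MATH_NS}}}ResponseHeader")
    ET.SubElement(rh, f"{{{MATH_NS}}}requestId").text = request_id
    body = ET.SubElement(env, f"{{{soap_ns}}}Body")
    op = ET.SubElement(body, f"{{{MATH_NS}}}getAddition")
    ET.SubElement(op, f"{{{MATH_NS}}}value").text = str(value)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def response_value(envelope):
    """Read Math:value back out of a response envelope."""
    root = ET.fromstring(envelope)
    soap_ns, _ = _split(root.tag)
    return int(root.find(f"{{{soap_ns}}}Body/{{{MATH_NS}}}getAddition/{{{MATH_NS}}}value").text)


if __name__ == "__main__":
    print(handle_get_addition(REQUEST).decode("utf-8"))   # response envelope with <Math:value>30</Math:value>
```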


==== REST ====

[[REST]] is a direct access-based approach to cross-application communication, where the [[API]]'s documentation is typically relied upon heavily to describe how to access it. When [[REST]] is done properly though, using a [[REST]]ful approach, the API becomes mostly self-documenting, relying instead on the mapping of Create-Read-Update-Delete (CRUD) operations onto the [[HTTP]] methods POST-GET-PUT-DELETE to describe how to access the [[Web Service]] and interact with its data.

<table>
<tr><th>Request</th><th>Response</th></tr>
<tr>
<td>GET http://www.mysite.com/myService?number1=17&amp;number2=13</td>
<td>
  {
    "value" : "30"
  }
</td>
</tr>
</table>

Although in reality a [[REST]] endpoint can be as complex or as simplistic to call as you want, to be truly "RESTful" it should follow certain conventions. The simplistic example above of passing two numbers as query-string parameters would likely be highly criticized by RESTful WS purists, who might prefer it to look more like this:

GET http://www.mysite.com/add/{input1}/{input2}

Others still may argue that since it is "changing a resource" (i.e. doing addition with the two inputs it is given) it should be a POST request without any query parameters or additional path segments, with the inputs passed in the HTTP message body:

POST http://www.mysite.com/add
BODY input1=17&amp;input2=13

There is no right or wrong answer, only opinion, as the REST approach is far less structured/defined and more open to interpretation.

* For more, see section: [[REST]]


== API Design ==

=== 5 essentials for a great API ===

# Provide a valuable service
# Have a plan and a business model
# Make it simple and flexible
# It should be managed and measured
# Provide great developer support (Docs, API Console, Example Client Implementations/SDKs, Sandbox)<ref>Is the API Landscape Broken?: http://www.wired.com/insights/2013/01/is-the-api-landscape-broken/</ref>

=== API Keys & Security ===

* OWASP Application Security Verification Standard (ASVS): https://owasp.org/www-project-application-security-verification-standard/
* OWASP Top 10 - API Security: https://owasp.org/www-project-api-security/ | [https://apisecurity.io/encyclopedia/content/owasp-api-security-top-10-cheat-sheet-us-letter.pdf POSTER]<ref>'''Demystifying the "OWASP API security top 10": https://media.bitpipe.com/io_15x/io_157878/item_2411117/cqnc-ebook-owasp.pdf'''</ref>
* REST Security (CHEAT SHEET): https://www.owasp.org/index.php/REST_Security_Cheat_Sheet
<ref>Predicting the Next OWASP API Security Top 10: https://threatpost.com/owasp-api-security-top-10/175961/</ref>
<ref>The 2021 Guide to API Security -- What You Need to Know: https://appsecengineer.com/hackerman-hub/2021-guide-api-security-what-you-need-know</ref>
<ref>The state of API Security 2022 - global research comparison: https://www.cybersprint.com/blog/the-state-of-api-security-global-research-comparison</ref>
<ref>API Security - The Complete Guide: https://brightsec.com/blog/api-security/</ref>
<ref>So, Like, What is an API Key Really? And How Does it Provide Security?: https://hackernoon.com/so-like-what-is-an-api-key-really-and-how-does-it-provide-security</ref>
<ref>Ownership Of The API Security Lifecycle: https://latesthackingnews.com/2022/05/27/ownership-of-the-api-security-lifecycle/ (HINT: if it's "everybody's" responsibility, it's really "no one's"... have a single or primary/secondary owner, and inform/empower everyone else in the organization to contribute)</ref>
<ref>More Simple = Less API Attack Vectors: https://securityboulevard.com/2022/01/more-simple-less-api-attack-vectors/</ref>
<ref>Positive API Security Model, and Why You Need It!: https://42crunch.com/webinar-positive-api-security-model/</ref>
<ref>'''c'''ompletely '''r'''idiculous '''A'''pplication '''P'''rogramming '''I'''nterface (crAPI): https://github.com/owasp/crapi | [https://infosecwriteups.com/crapi-api-security-the-hacker-way-7f8402bb6e65 DOCS]</ref>
<ref>Why does API Security Need Special Attention?: https://economictimes.indiatimes.com/why-does-api-security-need-special-attention/articleshow/92053756.cms</ref>
<ref>Microsoft's Recommendations to mitigate ''OWASP API Security Top 10'' threats using API Management: https://docs.microsoft.com/en-us/azure/api-management/mitigate-owasp-api-threats</ref>
<ref>API Security Checklist -- The Top 7 Requirements: https://www.indusface.com/blog/api-security-checklist-the-top-7-requirements/</ref>
* '''API security design best practices for enterprise and public cloud: https://habr.com/en/post/595075/'''
<ref>'''Awesome API Security: https://github.com/arainho/awesome-api-security'''</ref>
<ref>Best practices for REST API security - Authentication and authorization: https://stackoverflow.blog/2021/10/06/best-practices-for-authentication-and-authorization-for-rest-apis/</ref>
<ref>Collection of awesome API Security tools & resources: https://reconshell.com/api-security/</ref>
<ref>API Sprawl a Looming Threat to Digital Economy: https://devops.com/api-sprawl-a-looming-threat-to-digital-economy/</ref>
<ref>Benefits of Adopting Zero Trust for API Security: https://www.cm-alliance.com/cybersecurity-blog/benefits-of-adopting-zero-trust-for-api-security</ref>
<ref>HTTP request smuggling: https://portswigger.net/web-security/request-smuggling</ref>
<ref>Why API Keys are not enough: https://nordicapis.com/why-api-keys-are-not-enough/</ref>
<ref>Best Practices for Storing / Protecting API Keys: https://developer.oregonstate.edu/faqs/best-practices-storing-protecting-api-keys</ref>
<ref>Google Developers - API Key Best Practices: https://developers.google.com/maps/api-key-best-practices</ref>
<ref>Google Developers - Guide to Using API Keys: https://cloud.google.com/docs/authentication/api-keys?hl=en&visit_id=636795263018130436-4272006704&rd=1</ref>
<ref>Client-Side Storage options with HTML5: https://www.html5rocks.com/en/tutorials/offline/storage/</ref>
<ref>Best Practices for Designing a Pragmatic RESTful API: https://www.vinaysahni.com/best-practices-for-a-pragmatic-restful-api</ref>
<ref>Best practices for building secure API Keys: https://medium.freecodecamp.org/best-practices-for-building-api-keys-97c26eabfea9</ref>
<ref>Best practices for securely storing API keys: https://medium.freecodecamp.org/how-to-securely-store-api-keys-4ff3ea19ebda</ref>
<ref>Best practices for securely using API keys: https://support.google.com/googleapi/answer/6310037</ref>
<ref>API Key Auth Provider (C#): http://docs.servicestack.net/api-key-authprovider#interoperable</ref>
<ref>Reducing Risk of Credential Compromise @Netflix: https://www.infoq.com/presentations/netflix-infrastructure-security</ref>
<ref>API Security -- Deep Dive into OAuth and OpenID Connect: https://nordicapis.com/api-security-oauth-openid-connect-depth/</ref>
<ref>API Security -- The 4 Defenses of The API Stronghold: https://nordicapis.com/api-security-the-4-defenses-of-the-api-stronghold/</ref>
<ref>Equipping Your API With The Right Armor: https://nordicapis.com/api-security-equipping-your-api-with-the-right-armor/</ref>
<ref>Techniques and Technologies to Increase API Security: https://nordicapis.com/building-a-secure-api/</ref>
<ref>Application Security Tools Are Not up to the Job of API Security: https://thenewstack.io/application-security-tools-are-not-up-to-the-job-of-api-security/</ref>
<ref>A Case Study of API Vulnerabilities: https://monke.ie/api-vulns-casestudy/</ref>
<ref>''Google Cloud'' sees storm brewing over API security: https://www.theregister.com/2022/04/26/google_cloud_api/</ref>
<ref>The API Security Maturity Model: https://curity.io/resources/learn/the-api-security-maturity-model/</ref>
<ref>API Key Management with API Portal and Spring Cloud Gateway for Kubernetes: https://tanzu.vmware.com/content/blog/api-key-management-api-portal-spring-cloud-gateway-for-kubernetes</ref>
<ref>Akamai -- APIs - The Attack Surface That Connects Us All (WHITEPAPER): https://www.akamai.com/resources/state-of-the-internet/soti-security-api-the-attack-surface-that-connects-us-all</ref>
<ref>API Security in Action (BOOK): https://www.manning.com/books/api-security-in-action</ref>
<ref>The Danger of API Security Overconfidence - Four Takeaways from Radware’s 2022 State of API Security Survey: https://securityboulevard.com/2022/06/the-danger-of-api-security-overconfidence-four-takeaways-from-radwares-2022-state-of-api-security-survey/</ref>
<ref>One in every 13 incidents blamed on API insecurity – report: https://portswigger.net/daily-swig/one-in-every-13-incidents-blamed-on-api-insecurity-report</ref>
<ref>Poor API security may cost orgs up to $75B per year: https://venturebeat.com/2022/06/22/vulnerable-apis-75bn/ | [https://www.imperva.com/resources/resource-library/reports/quantifying-the-cost-of-api-insecurity/ REPORT]</ref>


==== API Security Testing ====

* KiteRunner -- content discovery & API probing tool: https://github.com/assetnote/kiterunner
* Vulnerable Adversely Programmed Interface (vAPI): https://www.postman.com/roottusk/workspace/vapi/overview | [https://github.com/roottusk/vapi SRC] (sample set of APIs that mimic all the "[https://owasp.org/www-project-api-security/ OWASP Top 10 - API Security]" issues to perform PenTest/Security exercises against)
* API Testing Checklist: https://hackanythingfor.blogspot.com/2020/07/api-testing-checklist.html
<ref>Introducing vAPI – an open source lab environment to learn about API security: https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security</ref>
<ref>Go Fuzz Yourself – How to Find More Vulnerabilities in APIs Through Fuzzing: https://labs.detectify.com/2021/08/31/go-fuzz-yourself-how-to-find-more-vulnerabilities-in-apis-through-fuzzing-whitepaper-download/</ref>
<ref>Save API Costs With "Data-Centric Security": https://hackernoon.com/save-api-costs-with-data-centric-security</ref>
<ref>More Simple = Less API Attack Vectors: https://securityboulevard.com/2022/01/more-simple-less-api-attack-vectors/</ref>
<ref>OWASP Juice Shop: https://owasp.org/www-project-juice-shop/</ref>
<ref>How to Simplify Your API to Narrow Attack Vectors: https://www.threatx.com/blog/api-attack-vectors-how-to-narrow-reduce/</ref>
<ref>Intercepting HTTPS traffic with Burp Suite: https://resources.infosecinstitute.com/topic/intercepting-https-traffic-with-burp-suite/</ref>
<ref>API Security Testing With Postman and OWASP Zap: https://thetesttherapist.com/2022/02/13/api-security-testing-with-postman-and-owasp-zap/</ref>
<ref>Hacking and reviewing Elgato Key Light API with Postman: https://apihandyman.io/hacking-elgato-key-light-with-postman/</ref>

== Tools ==

* '''OpenAPI: https://openapis.org/''' (project & framework to create an open specification for APIs, SDK generators, documentors, etc. based on [http://swagger.io/ Swagger]... which remains as a vendor-specific reference implementation)
* Swagger: http://swagger.io/ (API documentation/design based on YAML) | [http://editor.swagger.io/#/ EDITOR] | [https://inspector.swagger.io/builder INSPECTOR]
* Postman - API dev tool: https://www.getpostman.com/<ref>How to Use Postman to Manage and Execute Your APIs: http://dzone.com/articles/how-to-use-postman-to-manage-and-execute-your-apis</ref><ref>Cisco DevNet uses Postman to grow their developer community: http://blog.getpostman.com/2018/05/18/cisco-devnet-uses-postman-to-grow-their-developer-community/</ref>
* AsciiDoctor: http://asciidoctor.org/ (plain text to HTML)
* Rapido - A REST API specification language: https://github.com/d-plaindoux/rapido <ref>Rapido - A Sketching Tool for Web API Designers (WHITEPAPER): http://www.www2015.it/documents/proceedings/companion/p1509.pdf</ref><ref>Sketching Web APIs: http://www.slideshare.net/ronniemitra/sketching-web-apis</ref>
* API Builder: https://www.apibuilder.io/ (commonly referred to as "GitHub for APIs", strongest option for JSON-RPC)
* '''Burp Suite: https://portswigger.net/burp'''<ref>[[wikipedia: Burp suite]]</ref><ref>AuthMatrix extension v0.8.1 for BurpSuite: https://github.com/SecurityInnovation/AuthMatrix</ref>
* Fuzz Faster U Fool (FFUF) tool: https://github.com/ffuf/ffuf (written in Go)

* BestBuy - API Query Builder v2.0: https://bestbuyapis.github.io/bby-query-builder/#/productSearch | [https://bestbuyapis.github.io/api-documentation/#overview DOCS]<ref>'''BestBuy API - Getting Started guide: https://developer.bestbuy.com/documentation/getting-started'''</ref><ref>Best Buy API - NodeJS SDK: http://github.com/BestBuyAPIs/bestbuy-sdk-js</ref><ref>Former BestBuy BBYopen - Developer API console: http://web.archive.org/web/20130309114440/https://bbyopen.com/developer-tools/api-console</ref>
* Amazon Product API sandbox: http://associates-amazon.s3.amazonaws.com/signed-requests/helper/index.html (now called "signed requests helper")<ref>Amazon Dev Tools - Signed Request Helper: https://aws.amazon.com/developertools/351</ref>
* Intacct API test tool: http://developer.intacct.com/wiki/web-services-api-test-tool-reference
* Brightcove API test tool: http://opensource.brightcove.com/tool/api-test-tool<ref>Source Code for Brightcove API test tool: https://github.com/BrightcoveOS/API-Test-Tool</ref>
* OpenOffice - C library API test tool: https://www.openoffice.org/udk/common/man/tasks/apitests.html
* fuzz-lightyear: https://github.com/Yelp/fuzz-lightyear


=== API Management ===

* '''SwaggerHub: https://swaggerhub.com/''' (cloud-based host for OpenAPI-defined API management, SDK code generation & stubs/mocking, aka Swagger)
* '''POSTman: https://www.getpostman.com/''' (competing open source solution that forced the Swagger team to release their tools under [OpenAPI spec])
* Mashery: http://developer.mashery.com/apis (the original SaaS-based API directory & management/pay-for-use tool)<ref>Introducing Mashery: http://mashery.mashery.com/docs/Provider</ref>
* AnyPoint: https://anypoint.mulesoft.com/apiplatform/ (API directory & management/pay-for-use tool, by leading [[ESB]] provider MuleSoft)
* 3Scale: https://www.3scale.net/ (SaaS API management/pay-for-use, with tie-ins to Performance Management & Automated Testing tools)
* APIgee: http://apigee.com/about/products/api-management (API directory & management/pay-for-use tool with a great on-premise support option, not just cloud)
* '''Apiary: https://apiary.io/''' (powerful API design stack, built for developers)<ref>How Apiary works: https://apiary.io/how-it-works</ref> (work together to quickly design, prototype, document and test APIs)
* Mashape: https://www.mashape.com/ (similar to the above but focused on large datasets, not Microservices/APIs)
* GetKong: http://getkong.org/ (open-source API management platform, aims to deliver high performance & reliability)
<ref>10 Ways API Management Improves Product Development: https://www.mulesoft.com/sites/default/files/resource-assets/10%20Ways%20API%20Management%20Improves%20Product%20Development.pdf</ref>

==== SoapUI ====

See: [[SoapUI]]

===== ServiceV =====

See: [[Testing#ServiceV | ServiceV]]


==== Postman ====

<ref>Postman Collection for Salesforce - Mock Servers & Code Snippets: https://dzone.com/articles/postman-collection-for-salesforce-mock-servers-and</ref>

== Resources ==

* '''Programmable Web - API Directory: http://www.programmableweb.com/apis/directory'''
* API Hub: http://www.apihub.com (formerly by [[Mule]], now discontinued)<ref>Announcing Mule API Hub: http://blogs.mulesoft.com/dev/api-dev/introducing-apihub/</ref>
* Full Web 2.0 API List: http://techmagazine.ws/full-web-20-api-list
* WSO2 -- Reference Architecture for Agility: https://wso2.com/wso2_resources/wso2-reference-architecture-for-agility-version-0-9.pdf
* '''API Style Book: http://apistylebook.com/'''
* Developer Support Handbook: http://developer-support-handbook.appspot.com (API-focused dev resource)
* Documenting APIs -- A guide/course for technical writers: http://idratherbewriting.com/learnapidoc/
* '''API Business Models''': http://blog.programmableweb.com/2011/05/25/api-business-models-then-and-now/
* API Insecurity -- The Lurking Threat In Your Software: https://go.forrester.com/blogs/the-power-and-the-peril-of-apis/ | [https://www.forrester.com/report/API+Insecurity+The+Lurking+Threat+In+Your+Software/-/E-RES142080?objectid=RES142080 2020 REPORT]
<ref>'''API Tokens -- A Tedious Survey: https://fly.io/blog/api-tokens-a-tedious-survey/'''</ref>
<ref>Checklist for API Verification: https://dzone.com/articles/checklist-for-api-verification</ref>
<ref>10 API security guidelines and best practices: https://searchapparchitecture.techtarget.com/tip/10-API-security-guidelines-and-best-practices</ref>
<ref>The 10 REST Commandments: https://treblle.com/blog/the-10-rest-commandments</ref>
<ref>Using APIs With PHP? Here Are Your Classes: http://jeez.eu/2009/11/23/using-apis-with-php-here-are-your-classes/</ref>
<ref>Developer Experience (BLOG): https://web.archive.org/web/20180831161730/http://developerexperience.org/day/2012/05/01</ref>
<ref>Two Breeds of API -- API Products .vs. API Solutions: http://api-as-a-product.com/articles/digital-transformation-api-product/</ref>

=== EXAMPLES ===

* '''BC$ MobileTV API - EXAMPLE API doc/implementation: http://bcmoney-mobiletv.com/pages/api.html'''
* BC$ Wiki API: http://bcmoney-mobiletv.com/blog/2014/09/13/creating-a-w3c-widget-with-the-wikipedia-api | [http://wiki.bcmoney-mobiletv.com/api.php?action=query&titles=BC$&prop=revisions&rvprop=content&format=json&formatversion=2 EXAMPLE] (this wiki itself, powered by MediaWiki, comes with a built-in API)
* Tesla Model S Car - unofficial REST API: http://docs.timdorr.apiary.io (see "Myth of the 'Private API'" article below)
* Star Wars API: http://swapi.co (a good toy/example API for testing with)
* Star Trek API: http://stapi.co
* NASA API: https://api.nasa.gov/
* Giphy "animated GIF" search: https://developers.giphy.com/docs/api/ (animations in GIF/WEBP/MP4)
* OpenLibrary: https://openlibrary.org/ | [https://openlibrary.org/developers/api API]
* Favourite Quote of the Day API: https://favqs.com/api/ | [https://favqs.com/api/qotd EXAMPLE]
* OpenTrivia Database (OpenTDB): https://opentdb.com/ | [https://opentdb.com/api_config.php API] | [https://opentdb.com/api.php?amount=1 DEMO]
* TheMealDB: https://www.themealdb.com | [https://www.themealdb.com/api.php API]
* Edamam Food Analysis APIs: https://developer.edamam.com/#registrationModal | [https://developer.edamam.com/edamam-nutrition-api Nutrition API] | [https://developer.edamam.com/edamam-nutrition-api-demo DEMO]
* ChuckNorris jokes API: https://api.chucknorris.io/jokes/random
* I Can Haz Dad Jokes API: https://icanhazdadjoke.com/api
* Evil Insult API: https://evilinsult.com/generate_insult.php?lang=en&type=json


=== JavaScript ===

'''JavaScript''' '''API'''s (sometimes called [[JSON]] [[API]]s or [[JSONp]] [[API]]s) require only a standard &lt;script&gt; tag to be added to a webpage in order to expose their functionality. For example:
<pre>
<script type="text/javascript" src="http://www.somesite.com/somejavascript.js"></script>
</pre>
would expose the functionality of the ''somejavascript API'' that belongs to ''somesite.com''.

* Passing JSON message across servers (JavaScript API): http://ajaxpatterns.org/JSON_Message
* On-Demand JavaScript: http://ajaxpatterns.org/On-Demand_Javascript
* On-Demand Cross-Site Scripting: http://ecmanaut.blogspot.com/2005/11/on-demand-cross-site-javascript.html
* Cross-Domain Proxy: http://ajaxpatterns.org/Cross-Domain_Proxy

=== Java ===

Java has strong support for intra-application and inter-application integration and interaction by making publicly callable methods available, so that other programs can reuse application logic and methods.

* Java APIs: http://java.sun.com/reference/api/
* DayLife API -- A Simple Java Client: http://developer.daylife.com/simple-java-client

=== C ===

The most widespread APIs in use today, though, are probably the C APIs available for Unix and ported to other systems. These make it possible to do a number of complex tasks using a much smaller amount of code than if every set of logic had to be programmed manually.

* C Library reference: http://www.acm.uiuc.edu/webmonkeys/book/c_guide/index2.html
* Unix API - System Interface guide: http://www.unix.org/version4/GS5_APIs.pdf


== Tutorials ==

* '''Create Your Own Custom API: http://www.codewalkers.com/c/a/Miscellaneous/Create-Your-Own-Custom-API/'''
* How To Get Live Sports Scores: http://www.sinfuliphone.com/showthread.php?t=32261
* Simple API Writing, Part I: http://www.v-nessa.net/2009/02/09/simple-api-writing-part-i
* How to write API documentation: http://docs.jquery.com/How_to_write_API_documentation
* A Coder’s Guide to Writing API Documentation: http://msdn.microsoft.com/en-us/magazine/gg309172.aspx
* Using the eBay API Test Tool: http://www.ebaypartnernetworkblog.com/en/2011/08/using-the-api-test-tool/
* The Myth of the Private API - Fundamental Interconnectedness of Things: http://programming.oreilly.com/2013/09/the-myth-of-the-private-api.html
* Using SOAP with WS-Security: http://docs.aws.amazon.com/AWSECommerceService/latest/DG/WSSecurity.html
* Sketching API Connections: http://www.codingthearchitecture.com/2014/10/28/sketching_api_connections.html
* How to design an API - best practises, concepts, technical aspects: http://piwik.org/blog/2008/01/how-to-design-an-api-best-practises-concepts-technical-aspects/
* Best Practices for Architecting a Pragmatic Web API: http://www.slideshare.net/mario_cardinal/best-practices-for-designing-pragmatic-restful-api
* API Development -- Design-First or Code-First?: http://dzone.com/articles/design-first-or-code-first-whats-the-best-approach
* Designing a Usable, Flexible, Long-Lasting API: https://dzone.com/articles/designing-a-usable-flexible-long-lasting-api
* REST API Design - Resource Modeling: https://www.thoughtworks.com/insights/blog/rest-api-design-resource-modeling<ref>Don’t Use CRUD Styled APIs, Consider Intent-Based Rest APIs: https://betterprogramming.pub/intent-based-rest-apis-or-an-alternative-to-crud-based-rest-apis-1815599db60a</ref>
* If the Backend API Returns 100,000 Records at One Time, How Should We Handle it in the Frontend?: https://medium.com/frontend-canteen/if-the-backend-api-returns-100-000-records-at-one-time-how-should-we-handle-it-in-the-frontend-fab21218fe2

* Using API Gateways to Facilitate Your Transition from Monolith to Microservices: https://itnext.io/using-api-gateways-to-facilitate-your-transition-from-monolith-to-microservices-c08fe3489237
* The Role of API Gateways in API Security: https://dzone.com/articles/the-role-of-api-gateways-in-api-security<ref>Design patterns for Microservices: https://dzone.com/articles/design-patterns-for-microservices</ref><ref>API Management of comparative views of "real-world" design: https://dzone.com/guides/api-management-comparative-views-of-real-world-des</ref>
* Securing REST APIs With Client Certificates: https://dzone.com/articles/securing-rest-apis-with-client-certificates<ref>Securing a REST Service: https://dzone.com/articles/securing-a-rest-service</ref>
* Spring Boot and Swagger - Documenting RESTful Services: https://dzone.com/articles/spring-boot-and-swagger-documenting-restful-servic<ref>Swagger Generation With Spring Boot: https://dzone.com/articles/swagger-generation-with-spring-boot</ref><ref>Versioning RESTful Services With Spring Boot: https://dzone.com/articles/versioning-restful-services-with-spring-boot</ref>
* Functional API Testing -- Auto-Generation, Execution and Reporting (with BlazeMeter/JMeter): http://info.blazemeter.com/thank-you-functional-api-testing-autogeneration-execution-reporting-1
 +
* API Response Tracking With StreamSets, Elasticsearch, and Kibana : https://dzone.com/articles/api-response-tracking-with-streamsets-elasticsearc
 +
 +
* Fast Web Fuzzer (FFUF) tutorial: https://kalilinuxtutorials.com/ffuf-fast-web-fuzzer-written-in-go/<ref>Ffuf - A fast web fuzzer written in Go: https://hakin9.org/ffuf-a-fast-web-fuzzer-written-in-go/</ref><ref>FFUF (Fuzz Faster U Fool) – An Open Source Fast Web Fuzzing ToolAttribution link: https://latesthackingnews.com/2019/12/08/ffuf-fuzz-faster-u-fool-an-open-source-fast-web-fuzzing-tool</ref>
 +
* ffuf on Steroids: https://securityjunky.com/ffuf-on-steroids/
 +
* A visual history of web API architecture: https://itnext.io/a-visual-history-of-web-api-architecture-c36044df2ac7
 +
* Build a Java REST API (with OICD/JWT auth) using Quarkus: https://dzone.com/articles/build-a-java-rest-api-with-quarkus
 +
* How to Improve an API Ecosystem with Mapping: https://blog.postman.com/how-to-improve-api-ecosystem-with-mapping/ (includes an interesting take on "Top 10 strategic issues to address in any API")
 +
 +
 +
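Review bot: the second footnote on the "Fast Web Fuzzer (FFUF) tutorial" entry carries pasted residue in its title, "An Open Source Fast Web Fuzzing ToolAttribution link:", which should be trimmed to "An Open Source Fast Web Fuzzing Tool:" before the URL.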
== External Links ==
 +
 +
* [[wikipedia: Application programming interface]]
 +
* [[wikipedia: API management]]
 +
* In layman's terms, what is an API?: http://www.quora.com/In-laymans-terms-what-is-an-API-1
 +
* 1 in 5 APIs Say "Bye XML": http://blog.programmableweb.com/2011/05/25/1-in-5-apis-say-bye-xml/
 +
* 4,000 Web APIs - What’s Hot and What’s Next?: http://blog.programmableweb.com/2011/10/03/4000-web-apis-whats-hot-and-whats-next/
 +
* Who Belongs to the API Billionaires Club?: http://blog.programmableweb.com/2011/05/25/who-belongs-to-the-api-billionaires-club/
 +
* 40 Video APIs on ProgrammableWeb: http://blog.programmableweb.com/2008/08/07/40-video-apis-on-programmableweb/
 +
* '''42 Different APIs Used in 7 Days - From MTV to NPR''': http://blog.programmableweb.com/2009/05/16/42-different-apis-used-in-7-days-from-mtv-to-npr/
 +
* 9 Places to Use APIs Without Coding: http://blog.programmableweb.com/2007/03/26/9-places-to-use-apis-without-coding/
 +
* API -- web services and today's business enabler: http://vzaar.com/blog/2009/11/api-web-service-and-todays-business-enabler
 +
* Accidental APIs - NFL edition: http://postneo.com/2007/09/09/accidental-apis-nfl-edition
 +
* Ask HN -- How to legally obtain sports data for commercial use?: http://news.ycombinator.com/item?id=1791588
 +
* API Half-lives: http://www.gabrielweinberg.com/blog/2011/11/api-half-lives.html
 +
* Using external APIs to improve search: http://www.gabrielweinberg.com/blog/2011/01/using-external-apis-to-improve-search.html
 +
* Online services our startup subscribes to: http://www.gabrielweinberg.com/blog/2011/11/online-services-our-startup-subscribes-to.html
 +
* Beginner’s guide for journalists who want to understand API documentation: http://www.poynter.org/how-tos/digital-strategies/138211/beginners-guide-for-journalists-who-want-to-understand-api-documentation/
 +
* Survey on SDK Documentation: http://blcommunity.prestwood.com/ASPSuite/KB/document_view.asp?qid=102002
 +
* UN Data API: http://www.programmableweb.com/api/un-data#utm_source=email
 +
* Mobile Java Push API: http://www.programmableweb.com/api/mobile-java-push#utm_source=email
 +
* Spot2Be: http://spot2.be/api
 +
* Getting API-Centric and Moving Beyond Integration: http://java.dzone.com/articles/getting-api-centric-and-moving
 +
* Backend For Front-end (BFF) @ SoundCloud: https://www.thoughtworks.com/insights/blog/bff-soundcloud
 +
* API Auth Size Small: https://dzone.com/articles/api-authentication-size-small
 +
* Your API Versioning is Wrong: http://java.dzone.com/articles/your-api-versioning-wrong
 +
* How to Calculate the Worth of an API (INFOGRAPHIC): http://blog.smartbear.com/wp-content/uploads/2015/11/How-Much-is-Your-API-Worth_Infographic.png
 +
* The Five Axioms of the API Economy: http://java.dzone.com/articles/organizations-must-consume
 +
* The API Lifecycle: http://dzone.com/articles/the-api-life-cycle
 +
* '''Adopting an API-First Approach with OpenAPI 3.0: https://swagger.io/api-first-approach-with-openapi-training/'''
 +
* Design patterns for modern web APIs: https://blog.feathersjs.com/design-patterns-for-modern-web-apis-1f046635215
 +
* TIBCO Software to Acquire API Management Leader Mashery: https://www.tibco.com/press-releases/2015/tibco-software-acquire-api-management-leader-mashery
 +
* Red Hat to Acquire API Management Leader 3scale -- Accelerates digital transformation with API driven hybrid-cloud architectures: https://www.redhat.com/en/about/press-releases/red-hat-acquire-api-management-leader-3scale
 +
* Red Hat to Acquire API Management Leader 3scale: https://www.3scale.net/2016/06/red-hat-to-acquire-api-management-leader-3scale/
 +
* Red Hat to Acquire API Management Leader 3scale: https://www.businesswire.com/news/home/20160622006354/en/Red-Hat-Acquire-API-Management-Leader-3scale
 +
* Google to acquire Apigee: https://cloud.google.com/blog/products/gcp/google-to-acquire-apigee
 +
* Google will acquire Apigee for $625 million: https://techcrunch.com/2016/09/08/google-will-acquire-apigee-for-625-million/
 +
* Google to acquire API management provider Apigee for $625 million: https://venturebeat.com/2016/09/08/google-to-acquire-api-management-provider-apigee-for-625m/
 +
* Apigee has Joined Google: https://apigee.com/about/apigee-has-joined-google
 +
* MuleSoft Buys "Programmable Web" From Alcatel-Lucent, Marking The Telco’s Departure From A Core API Community: https://techcrunch.com/2013/04/23/mulesoft-buys-programmable-web-from-alcatel-lucent-marking-the-telcos-departure-from-a-core-api-community/
 +
* Salesforce Signs Definitive Agreement to Acquire MuleSoft: https://www.mulesoft.com/press-center/salesforce-acquisition
 +
* Salesforce Signs Definitive Agreement to Acquire MuleSoft: https://www.salesforce.com/company/news-press/press-releases/2018/03/180320/
 +
* Salesforce agrees to buy MuleSoft in $6.5 billion deal: https://www.cnbc.com/2018/03/20/salesforce-agrees-to-buy-mulesoft-in-6-point-5-billion-deal.html
 +
* Salesforce Completes Acquisition of MuleSoft: https://www.salesforce.com/company/news-press/press-releases/2018/05/180502/
 +
* Salesforce Just Bought MuleSoft, an IT Company That Went Public Last Year: fortune.com/2018/03/20/salesforce-mulesoft-acquisition-deal/
 +
* The Exploding Endpoint Problem -- Why everything may become an API: https://thenewstack.io/the-exploding-endpoint-problem-why-everything-must-become-an-api/
 +
* Reverse engineering an API: https://medium.com/postman-engineering/reverse-engineering-an-api-403fae885303
 +
* How To Make Swagger Codegen Work For Your Team: https://medium.com/capital-one-tech/how-to-make-swagger-codegen-work-for-your-team-32194f7d97e4
 +
* API Is Dead – Long Live the APIs: https://dzone.com/articles/api-is-dead-long-live-the-apis (how the reign of REST APIs is declining and how the ecosystem is moving towards democracy)
 +
* 7 Apps You Can Definitely Build With These Free APIs: https://medium.com/madhash/7-apps-you-can-definitely-build-with-these-free-apis-6d30124527fc
 +
* Akamai Security Research - APIs Are Now Target of Choice for Cybercriminals Attacking Financial Services Organizations: https://www.akamai.com/newsroom/press-release/state-of-the-internet-security-financial-services-hostile-takeover-attempts (up to 75% of all Credential Abuse Attacks Targeted APIs )
 +
* Rapid proliferation of APIs opens up new security holes: https://www.scmagazine.com/analysis/application-security/rapid-proliferation-of-apis-opens-up-new-security-holes
 +
 +
 +
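Review bot: the Fortune entry ("Salesforce Just Bought MuleSoft, an IT Company That Went Public Last Year") gives its URL without a scheme, "fortune.com/2018/03/20/salesforce-mulesoft-acquisition-deal/", so the wiki will not render it as a link; prefix it with "https://" like the neighbouring entries.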
== References ==
 +
 +
<references />
 +
 +
== See Also ==
 +
 +
[[Web Services]] | [[ESB]] | [[Microservices]] | [[API Gateway]] | [[Discovery]] | [[Security]]

Latest revision as of 17:22, 22 July 2022

An Application Programming Interface (or commonly abbreviated as API), is a mechanism for exposing the core functionality of an application (such as a client or desktop program, web site or web service) to an external application (of any of the previously mentioned types).

Since the days of Web 2.0, an API is seen as a crucial element to any Web Application or Web Service. In general though, APIs are crucial parts of an application design and implementation strategy. They ensure the involvement of third-parties and outside developers in the products and services you create, and they can also help to breed innovation.


Specifications

OpenAPI

Swagger (OpenAPIv2) to OpenAPIv3

OpenAPI is an open-source specification, with an associated set of open-source tools (plus commercially supported enterprise-grade options), for designing, documenting, sharing, inspecting/analyzing, stubbing/mocking, validating, comparing and/or serving API endpoints together with their associated auth mechanisms, headers, request/response pair examples, actual payloads, error messages/conditions, etc. It is seen as the cross-platform (SOAP, REST, REST-JSON/XML, XML-RPC, etc.) Web Service documentation alternative to the more protocol-specific WSDL (SOAP) and WADL (REST) specifications.

For more, see: OpenAPI

[2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12]


AsyncAPI

An Event Driven Architecture (EDA) focused API specification format that supports documenting push, WebHooks, messaging, long-polling and similar asynchronous interaction styles.


APIs.json

APIs.json is a machine readable approach that API providers can use to describe their API operations, similar to how web sites are described using the Sitemap.xml spec but for listing/discovery of Web Services and their operations.

[13]


RAML

Rest API Markup Language (RAML) is Mulesoft's alternative to Swagger/OpenAPI.


WADL

Web Application Description Language (WADL).

For more, see: WADL


Types of APIs

Native/Library

A Native or Library API is typically an operating system-specific or programming language-specific one which provides access to certain data, methods/functionality, or commonly required utilities.

Web Services

Web Services are remotely callable functionality residing in another application.

XML-RPC

XML-RPC was one of the first examples of a Web Service format for remotely exchanging data, specifying the format as a strict set of XML "methods" and.

Request:

 <?xml version="1.0" encoding="utf-8"?>
 <methodCall>
    <methodName>myService.sum</methodName>
    <params>
       <param>
          <value><int>17</int></value>
       </param>
       <param>
          <value><int>13</int></value>
       </param>
    </params>
 </methodCall>

Response:

 <methodResponse>
    <params>
       <param>
          <value><int>30</int></value>
       </param>
    </params>
 </methodResponse>
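The same exchange driven end to end in Python, as an added example that is not part of the original wiki page: the request XML is constructed inline from the page's methodCall, the standard library xmlrpc.client marshals and unmarshals both sides, and a hypothetical server-side dispatcher (xmlrpc.server.SimpleXMLRPCDispatcher, run in-process through its _marshaled_dispatch method rather than over a socket) answers only for the one name it registered and turns bad input into a fault instead of a stack trace.

```python
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

# Constructed request, identical in content to the page's methodCall example.
SUM_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<methodCall>
   <methodName>myService.sum</methodName>
   <params>
      <param><value><int>17</int></value></param>
      <param><value><int>13</int></value></param>
   </params>
</methodCall>"""


def build_request(method: str, *params) -> str:
    """Client side: marshal a methodCall the way an XML-RPC client does."""
    return xmlrpc.client.dumps(params, methodname=method)


def parse_request(xml: str) -> tuple:
    """Server side: unmarshal a methodCall into (method name, parameter tuple)."""
    params, method = xmlrpc.client.loads(xml)
    return method, params


def parse_response(xml: str):
    """Client side: unmarshal a methodResponse; a <fault> raises xmlrpc.client.Fault."""
    params, _ = xmlrpc.client.loads(xml)
    return params[0]


def make_dispatcher() -> SimpleXMLRPCDispatcher:
    """Hypothetical myService: only the explicitly registered name is callable.

    Nothing is exposed via register_instance, so a caller cannot reach
    arbitrary attributes; unknown method names come back as faults.
    """
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")

    def sum_ints(a, b):
        # XML-RPC carries types, so <string>17</string> arrives as str: reject it.
        if not (isinstance(a, int) and isinstance(b, int)):
            raise TypeError("myService.sum expects two <int> parameters")
        return a + b

    dispatcher.register_function(sum_ints, "myService.sum")
    return dispatcher


def call_local(dispatcher: SimpleXMLRPCDispatcher, request_xml: str):
    """Run one request through the dispatcher in-process and decode the reply.

    Returns the result value, or the Fault object so the caller can inspect it.
    """
    response_xml = dispatcher._marshaled_dispatch(request_xml.encode("utf-8"))
    try:
        return parse_response(response_xml.decode("utf-8"))
    except xmlrpc.client.Fault as fault:
        return fault


def is_fault(result) -> bool:
    """True when call_local returned a fault rather than a value."""
    return isinstance(result, xmlrpc.client.Fault)
```

Because the parameter types travel inside the XML, the handler checks them explicitly; a caller who sends strings where integers are expected, or names a method that was never registered, receives a methodResponse carrying a fault rather than a partial result.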


SOAP

SOAP is a contract-based (contract-first or contract-last, but contract nonetheless) approach to cross-application communication.

Request:

 GET http://www.mysite.com/myService?wsdl

 --> Lookup required Web Service "operation"

 POST http://www.mysite.com/getAddition

 <?xml version="1.0" encoding="utf-8"?>
 <soap:Envelope
    xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
    xmlns:Math="http://www.mysite.com/Math"
    soap:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
   <!-- the xmlns:Math URI above is an assumed value; the original example declared no Math namespace -->
   <soap:Header>
      <To xmlns="http://www.w3.org/2005/08/addressing">http://www.mysite.com:8181/Math/</To>
      <Action xmlns="http://www.w3.org/2005/08/addressing">tns:getAddition_Request</Action>
      <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
         <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
      </ReplyTo>
   </soap:Header>
   <soap:Body>
   <Math:getAddition>
      <Math:number1>17</Math:number1>
      <Math:number2>13</Math:number2>
   </Math:getAddition>
   </soap:Body>
 </soap:Envelope>

Response:

 <?xml version="1.0" encoding="utf-8"?>
 <soap:Envelope
    xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
    xmlns:Math="http://www.mysite.com/Math"
    soap:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
   <soap:Header>
       <ResponseHeader xmlns="https://www.mysite.com/apis/Math/v2017-08-17">
         <requestId>123456789</requestId>
         <responseTime>1350</responseTime>
       </ResponseHeader>
   </soap:Header>
   <soap:Body>
     <Math:getAddition>
        <Math:value>30</Math:value>
     </Math:getAddition>
   </soap:Body>
 </soap:Envelope>
  • For more, see section: SOAP
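Building and reading the envelopes above with namespace-aware XML handling, as an added example that is not part of the original page: Python's standard xml.etree.ElementTree serialises the request (SOAP 1.2 envelope namespace plus WS-Addressing headers, exactly the elements the page shows), and the server side reads the operands back by qualified name rather than by prefix, so a document that renames or omits a prefix is handled correctly or rejected. The Math namespace URI, the sample responses and the Fault reply are constructed for this example; the page itself declares no URI for its "Math" prefix.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://www.w3.org/2003/05/soap-envelope"   # SOAP 1.2 envelope namespace
WSA = "http://www.w3.org/2005/08/addressing"           # WS-Addressing, as in the page's headers
MATH = "http://www.mysite.com/Math"  # assumed URI for the page's undeclared "Math" prefix

ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("wsa", WSA)
ET.register_namespace("Math", MATH)


def build_addition_request(n1: int, n2: int, to: str, action: str) -> bytes:
    """Client side: serialise the getAddition request envelope shown on the page."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    ET.SubElement(header, f"{{{WSA}}}To").text = to
    ET.SubElement(header, f"{{{WSA}}}Action").text = action
    reply_to = ET.SubElement(header, f"{{{WSA}}}ReplyTo")
    ET.SubElement(reply_to, f"{{{WSA}}}Address").text = WSA + "/anonymous"
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    op = ET.SubElement(body, f"{{{MATH}}}getAddition")
    ET.SubElement(op, f"{{{MATH}}}number1").text = str(n1)
    ET.SubElement(op, f"{{{MATH}}}number2").text = str(n2)
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def _int_child(parent: ET.Element, path: str, ns: dict) -> int:
    """Read an element's text as an integer; anything else is a validation error."""
    text = parent.findtext(path, namespaces=ns)
    if text is None or not re.fullmatch(r"-?\d+", text.strip()):
        raise ValueError(f"{path} is missing or not an integer")
    return int(text.strip())


def parse_addition_request(xml: bytes) -> tuple:
    """Server side: return (wsa:Action, number1, number2) from a request envelope."""
    root = ET.fromstring(xml)
    ns = {"soap": SOAP_ENV, "wsa": WSA, "Math": MATH}
    action = root.findtext("soap:Header/wsa:Action", default="", namespaces=ns)
    op = root.find("soap:Body/Math:getAddition", ns)
    if op is None:
        raise ValueError("request body carries no Math:getAddition operation")
    return action, _int_child(op, "Math:number1", ns), _int_child(op, "Math:number2", ns)


def response_fault_reason(xml: bytes):
    """Return the soap:Reason text of a SOAP 1.2 Fault, or None when there is no Fault."""
    root = ET.fromstring(xml)
    ns = {"soap": SOAP_ENV}
    fault = root.find("soap:Body/soap:Fault", ns)
    if fault is None:
        return None
    return fault.findtext("soap:Reason/soap:Text", default="", namespaces=ns)


def parse_addition_response(xml: bytes) -> int:
    """Client side: extract Math:value, raising if the server answered with a Fault."""
    reason = response_fault_reason(xml)
    if reason is not None:
        raise RuntimeError(f"SOAP fault: {reason}")
    root = ET.fromstring(xml)
    ns = {"soap": SOAP_ENV, "Math": MATH}
    return _int_child(root, "soap:Body/Math:getAddition/Math:value", ns)


# Constructed sample responses (not captured from any real service).
ADDITION_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
               xmlns:Math="http://www.mysite.com/Math">
  <soap:Header>
    <ResponseHeader xmlns="https://www.mysite.com/apis/Math/v2017-08-17">
      <requestId>123456789</requestId>
      <responseTime>1350</responseTime>
    </ResponseHeader>
  </soap:Header>
  <soap:Body>
    <Math:getAddition><Math:value>30</Math:value></Math:getAddition>
  </soap:Body>
</soap:Envelope>"""

FAULT_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <soap:Fault>
      <soap:Code><soap:Value>soap:Sender</soap:Value></soap:Code>
      <soap:Reason><soap:Text xml:lang="en">number2 is not an integer</soap:Text></soap:Reason>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>"""
```

Looking elements up by namespace URI is the point: the prefixes in a received envelope are the sender's choice, and a parser that matches on the literal string "Math:" will either miss the operation or accept elements from an unrelated namespace that happen to reuse the prefix.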

REST

REST is a direct access-based approach to cross-application communication, where the API's documentation is typically relied upon heavily to describe how to access it. When REST is done properly though, using a RESTful approach, the API becomes mostly self-documenting, relying instead on the mapping of Create-Read-Update-Delete (CRUD) operations onto the HTTP verbs POST-GET-PUT-DELETE to describe how to access the Web Service and interact with its data.

Request:

 GET http://www.mysite.com/myService?number1=17&number2=13

Response:

 {
   "value" : "30"
 }

In reality a REST endpoint can be as complex or as simple to call as you want, but to be truly "RESTful" it should follow certain conventions. The simplistic example above, passing two numbers as query parameters, would likely be heavily criticized by RESTful WS purists, who might prefer something more like this:

GET http://www.mysite.com/add/{input1}/{input2}

Others still may argue that since it is "changing a resource" (i.e. performing addition on the two inputs it is given) it should be a POST request, without any query parameters or additional path segments, with the inputs passed in the HTTP message body:

POST http://www.mysite.com/add
BODY input1=17&input2=13

There is no right or wrong answer, only opinion, as the REST approach is far less structured/defined and more open to interpretation.

  • For more, see section: REST
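All three shapes discussed above (query parameters, path parameters, and a form-encoded POST body) handled by one hypothetical server-side dispatcher, as an added example that is not part of the original page. The parameter names number1/number2 and input1/input2, the path layout and the status codes are assumptions; the value is returned as a JSON number rather than the quoted "30" in the page's sample response. Whatever style wins the argument, the validation is the same: each operand must be supplied exactly once and must be an integer of bounded length, and anything else is answered with 400 rather than guessed at.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path-parameter style from the page: GET /add/{input1}/{input2}
ADD_PATH = re.compile(r"^/add/(?P<input1>[^/]+)/(?P<input2>[^/]+)$")
MAX_DIGITS = 18  # refuse absurdly long numerals before converting them


def _int_param(params: dict, name: str) -> int:
    """Fetch exactly one integer-valued parameter or raise ValueError.

    Duplicated keys are rejected rather than silently taking the first or
    last value, so client and server cannot disagree about which one was used.
    """
    values = params.get(name, [])
    if len(values) != 1:
        raise ValueError(f"parameter '{name}' must be supplied exactly once")
    raw = values[0]
    if not re.fullmatch(r"-?\d{1,%d}" % MAX_DIGITS, raw):
        raise ValueError(f"parameter '{name}' must be an integer")
    return int(raw)


def handle(method: str, url: str, body: str = "") -> tuple:
    """Dispatch one request; returns (HTTP status, JSON-serialisable payload)."""
    parts = urlsplit(url)
    path_match = ADD_PATH.match(parts.path)
    try:
        if parts.path == "/myService":
            # Style 1: GET /myService?number1=17&number2=13
            if method != "GET":
                return 405, {"error": "method not allowed"}
            query = parse_qs(parts.query, keep_blank_values=True)
            total = _int_param(query, "number1") + _int_param(query, "number2")
        elif path_match:
            # Style 2: GET /add/{input1}/{input2}
            if method != "GET":
                return 405, {"error": "method not allowed"}
            path_params = {k: [v] for k, v in path_match.groupdict().items()}
            total = _int_param(path_params, "input1") + _int_param(path_params, "input2")
        elif parts.path == "/add":
            # Style 3: POST /add with form-encoded body input1=17&input2=13
            if method != "POST":
                return 405, {"error": "method not allowed"}
            form = parse_qs(body, keep_blank_values=True)
            total = _int_param(form, "input1") + _int_param(form, "input2")
        else:
            return 404, {"error": "no such resource"}
    except ValueError as exc:
        return 400, {"error": str(exc)}
    return 200, {"value": total}
```

The routing differs per style but the operand handling is shared, which is the practical lesson behind the "no right or wrong answer" remark: the URL shape is a convention, whereas strict parsing of whatever arrives is not optional.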


API Design

5 essentials for a great API

  1. Provide a valuable service
  2. Have a plan and a business model
  3. Make it simple and flexible
  4. It should be managed and measured
  5. Provide great developer support (Docs, API Console, Example Client Implementations/SDKs, Sandbox)[15]

API Keys & Security

[17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28]

[29] [30] [31] [32] [33] [34] [35] [36] [37] [38] [39] [40] [41] [42] [43] [44] [45] [46] [47] [48] [49] [50] [51] [52] [53] [54] [55] [56] [57] [58] [59]


API Security Testing

[60] [61] [62] [63] [64] [65] [66] [67] [68]

Tools


API Management

[82]

SoapUI

See: SoapUI

ServiceV

See: ServiceV


Postman

[83]

Resources

[85] [86] [87] [88] [89] [90] [91]

EXAMPLES


JavaScript

JavaScript APIs (sometimes called JSON APIs or JSONp APIs) require only a standard <script> tag to be added to a webpage in order to expose their functionality. For example:

 <script type="text/javascript" src="http://www.somesite.com/somejavascript.js"></script>

would expose the functionality of the somejavascript API belonging to somesite.com.

Java

Java has strong support for intra-application and inter-application integration and interaction by making publicly callable methods available, so that other programs can reuse application logic and methods.

C

The most widespread APIs in use today though, are probably the C APIs available for Unix and ported to other systems. These make it possible to do a number of complex tasks using a much smaller amount of code than if every set of logic had to be programmed manually.


Tutorials


External Links


References

  1. What is OpenAPI?: https://swagger.io/docs/specification/about/
  2. The OpenAPI Specification Version 3.0 Highlights: https://apievangelist.com/2017/01/25/the-openapi-specification-version-30-highlights/
  3. Open API Initiative Announces Release of the OpenAPI Spec v3 Implementer’s Draft: https://www.openapis.org/blog/2017/03/01/openapi-spec-3-implementers-draft-released
  4. OpenAPI 3.0, And What It Means for the Future of Swagger (WEBINAR): https://swaggerhub.com/blog/api-resources/openapi-3-0-video-tutorial/ | SLIDES
  5. A Visual Guide to What's New in Swagger 3.0: https://blog.readme.io/an-example-filled-guide-to-swagger-3-2/
  6. Comparing OpenAPI/Swagger 2.0 and 3.0.0-rc1: https://dev.to/mikeralphson/comparing-openapiswagger-20-and-300-rc1
  7. What’s New in OpenAPI 3.0: http://nordicapis.com/whats-new-in-openapi-3-0/
  8. Looking to Create OpenAPI 3.0 For Your API? Swagger Inspector Has Your Back: https://swagger.io/blog/convert-oas-3-swagger-inspector/#sendgrid_mc_email_subscribe
  9. Migrating to OpenAPI 3.0 -- How to Convert Your Existing APIs with Swagger Tools: https://swagger.io/resources/webinars/convert-api-to-oas-3-with-swagger-tools/
  10. Tutorial - Converting your Swagger 2.0 API Definition to OpenAPI 3.0: https://blog.runscope.com/posts/tutorial-upgrading-swagger-2-api-definition-to-openapi-3
  11. Collaborating Across the API Lifecycle -- How to Setup an API Workflow that Scales: https://swagger.io/resources/webinars/collaborating-across-the-api-lifecycle/
  12. How about OpenAPI descriptions and Swagger UI in your Java REST API?: https://tryingthings.wordpress.com/2020/05/20/how-about-openapi-descriptions-and-swagger-ui-in-your-java-rest-api/
  13. API Discovery Is for Internal or External Services: https://dzone.com/articles/api-discovery-is-for-internal-or-external-services
  14. wikipedia: RAML (software)
  15. Is the API Landscape Broken?: http://www.wired.com/insights/2013/01/is-the-api-landscape-broken/
  16. Demystifying the "OWASP API security top 10": https://media.bitpipe.com/io_15x/io_157878/item_2411117/cqnc-ebook-owasp.pdf
  17. Predicting the Next OWASP API Security Top 10: https://threatpost.com/owasp-api-security-top-10/175961/
  18. The 2021 Guide to API Security -- What You Need to Know: https://appsecengineer.com/hackerman-hub/2021-guide-api-security-what-you-need-know
  19. The state of API Security 2022 - global research comparison: https://www.cybersprint.com/blog/the-state-of-api-security-global-research-comparison
  20. API Security - The Complete Guide: https://brightsec.com/blog/api-security/
  21. So, Like, What is an API Key Really? And How Does it Provide Security?: https://hackernoon.com/so-like-what-is-an-api-key-really-and-how-does-it-provide-security
  22. Ownership Of The API Security Lifecycle: https://latesthackingnews.com/2022/05/27/ownership-of-the-api-security-lifecycle/ (HINT: if it's "everybody's" responsibility, it's really "no one's"... have a single or primary/secondary owner, and inform/empower everyone else in the organization to contribute)
  23. More Simple = Less API Attack Vectors: https://securityboulevard.com/2022/01/more-simple-less-api-attack-vectors/
  24. Positive API Security Model, and Why You Need It!: https://42crunch.com/webinar-positive-api-security-model/
  25. completely ridiculous Application Programming Interface (crAPI): https://github.com/owasp/crapi | DOCS
  26. Why does API Security Need Special Attention?: https://economictimes.indiatimes.com/why-does-api-security-need-special-attention/articleshow/92053756.cms
  27. Microsoft's Recommendations to mitigate OWASP API Security Top 10 threats using API Management: https://docs.microsoft.com/en-us/azure/api-management/mitigate-owasp-api-threats
  28. API Security Checklist -- The Top 7 Requirements: https://www.indusface.com/blog/api-security-checklist-the-top-7-requirements/
  29. Awesome API Security: https://github.com/arainho/awesome-api-security
  30. Best practices for REST API security - Authentication and authorization: https://stackoverflow.blog/2021/10/06/best-practices-for-authentication-and-authorization-for-rest-apis/
  31. Collection of awesome API Security tools & resources: https://reconshell.com/api-security/
  32. API Sprawl a Looming Threat to Digital Economy: https://devops.com/api-sprawl-a-looming-threat-to-digital-economy/
  33. Benefits of Adopting Zero Trust for API Security: https://www.cm-alliance.com/cybersecurity-blog/benefits-of-adopting-zero-trust-for-api-security
  34. HTTP request smuggling: https://portswigger.net/web-security/request-smuggling
  35. Why API Keys are not enough: https://nordicapis.com/why-api-keys-are-not-enough/
  36. Best Practices for Storing / Protecting API Keys: https://developer.oregonstate.edu/faqs/best-practices-storing-protecting-api-keys
  37. Google Developers - API Key Best Practices: https://developers.google.com/maps/api-key-best-practices
  38. Google Developers - Guide to Using API Keys: https://cloud.google.com/docs/authentication/api-keys?hl=en&visit_id=636795263018130436-4272006704&rd=1
  39. Client-Side Storage options with HTML5: https://www.html5rocks.com/en/tutorials/offline/storage/
  40. Best Practices for Designing a Pragmatic RESTful API: https://www.vinaysahni.com/best-practices-for-a-pragmatic-restful-api
  41. Best practices for building secure API Keys: https://medium.freecodecamp.org/best-practices-for-building-api-keys-97c26eabfea9
  42. Best practices for securely storing API keys: https://medium.freecodecamp.org/how-to-securely-store-api-keys-4ff3ea19ebda
  43. Best practices for securely using API keys: https://support.google.com/googleapi/answer/6310037
  44. API Key Auth Provider (C#): http://docs.servicestack.net/api-key-authprovider#interoperable
  45. Reducing Risk of Credential Compromise @Netflix: https://www.infoq.com/presentations/netflix-infrastructure-security
  46. API Security -- Deep Dive into OAuth and OpenID Connect: https://nordicapis.com/api-security-oauth-openid-connect-depth/
  47. API Security -- The 4 Defenses of The API Stronghold: https://nordicapis.com/api-security-the-4-defenses-of-the-api-stronghold/
  48. Equipping Your API With The Right Armor: https://nordicapis.com/api-security-equipping-your-api-with-the-right-armor/
  49. Techniques and Technologies to Increase API Security: https://nordicapis.com/building-a-secure-api/
  50. Application Security Tools Are Not up to the Job of API Security: https://thenewstack.io/application-security-tools-are-not-up-to-the-job-of-api-security/
  51. A Case Study of API Vulnerabilities: https://monke.ie/api-vulns-casestudy/
  52. Google Cloud sees storm brewing over API security: https://www.theregister.com/2022/04/26/google_cloud_api/
  53. The API Security Maturity Model: https://curity.io/resources/learn/the-api-security-maturity-model/
  54. API Key Management with API Portal and Spring Cloud Gateway for Kubernetes: https://tanzu.vmware.com/content/blog/api-key-management-api-portal-spring-cloud-gateway-for-kubernetes
  55. Akamai -- APIs - The Attack Surface That Connects Us All (WHITEPAPER): https://www.akamai.com/resources/state-of-the-internet/soti-security-api-the-attack-surface-that-connects-us-all
  56. API Security in Action (BOOK): https://www.manning.com/books/api-security-in-action
  57. The Danger of API Security Overconfidence - Four Takeaways from Radware’s 2022 State of API Security Survey: https://securityboulevard.com/2022/06/the-danger-of-api-security-overconfidence-four-takeaways-from-radwares-2022-state-of-api-security-survey/
  58. One in every 13 incidents blamed on API insecurity – report: https://portswigger.net/daily-swig/one-in-every-13-incidents-blamed-on-api-insecurity-report
  59. Poor API security may cost orgs up to $75B per year: https://venturebeat.com/2022/06/22/vulnerable-apis-75bn/ | REPORT
  60. Introducing vAPI – an open source lab environment to learn about API security: https://portswigger.net/daily-swig/introducing-vapi-an-open-source-lab-environment-to-learn-about-api-security
  61. Go Fuzz Yourself – How to Find More Vulnerabilities in APIs Through Fuzzing: https://labs.detectify.com/2021/08/31/go-fuzz-yourself-how-to-find-more-vulnerabilities-in-apis-through-fuzzing-whitepaper-download/
  62. Save API Costs With "Data-Centric Security": https://hackernoon.com/save-api-costs-with-data-centric-security
  63. More Simple = Less API Attack Vectors: https://securityboulevard.com/2022/01/more-simple-less-api-attack-vectors/
  64. OWASP Juice Shop: https://owasp.org/www-project-juice-shop/
  65. How to Simplify Your API to Narrow Attack Vectors: https://www.threatx.com/blog/api-attack-vectors-how-to-narrow-reduce/
  66. Intercepting HTTPS traffic with Burp Suite: https://resources.infosecinstitute.com/topic/intercepting-https-traffic-with-burp-suite/
  67. API Security Testing With Postman and OWASP Zap: https://thetesttherapist.com/2022/02/13/api-security-testing-with-postman-and-owasp-zap/
  68. Hacking and reviewing Elgato Key Light API with Postman: https://apihandyman.io/hacking-elgato-key-light-with-postman/
  69. How to Use Postman to Manage and Execute Your APIs: http://dzone.com/articles/how-to-use-postman-to-manage-and-execute-your-apis
  70. Cisco DevNet uses Postman to grow their developer community: http://blog.getpostman.com/2018/05/18/cisco-devnet-uses-postman-to-grow-their-developer-community/
  71. Rapido - A Sketching Tool for Web API Designers (WHITEPAPER): http://www.www2015.it/documents/proceedings/companion/p1509.pdf
  72. Sketching Web APIs: http://www.slideshare.net/ronniemitra/sketching-web-apis
  73. wikipedia: Burp suite
  74. AuthMatrix extension v0.8.1 for BurpSuite: https://github.com/SecurityInnovation/AuthMatrix
  75. BestBuy API - Getting Started guide: https://developer.bestbuy.com/documentation/getting-started
  76. Best Buy API - NodeJS SDK: http://github.com/BestBuyAPIs/bestbuy-sdk-js
  77. Former BestBuy BBYopen - Developer API console: http://web.archive.org/web/20130309114440/https://bbyopen.com/developer-tools/api-console
  78. Amazon Dev Tools - Signed Request Helper: https://aws.amazon.com/developertools/351
  79. Source Code for Brightcove API test tool: https://github.com/BrightcoveOS/API-Test-Tool
  80. Introducing Mashery: http://mashery.mashery.com/docs/Provider
  81. How Apiary works: https://apiary.io/how-it-works
  82. 10 Ways API Management Improves Product Development: https://www.mulesoft.com/sites/default/files/resource-assets/10%20Ways%20API%20Management%20Improves%20Product%20Development.pdf
  83. Postman Collection for Salesforce - Mock Servers & Code Snippets: https://dzone.com/articles/postman-collection-for-salesforce-mock-servers-and
  84. Announcing Mule API Hub: http://blogs.mulesoft.com/dev/api-dev/introducing-apihub/
  85. API Tokens -- A Tedious Survey: https://fly.io/blog/api-tokens-a-tedious-survey/
  86. Checklist for API Verification: https://dzone.com/articles/checklist-for-api-verification
  87. 10 API security guidelines and best practices: https://searchapparchitecture.techtarget.com/tip/10-API-security-guidelines-and-best-practices
  88. The 10 REST Commandments: https://treblle.com/blog/the-10-rest-commandments
  89. Using APIs With PHP? Here Are Your Classes: http://jeez.eu/2009/11/23/using-apis-with-php-here-are-your-classes/
  90. Developer Experience (BLOG): https://web.archive.org/web/20180831161730/http://developerexperience.org/day/2012/05/01
  91. Two Breeds of API -- API Products .vs. API Solutions: http://api-as-a-product.com/articles/digital-transformation-api-product/
  92. Don’t Use CRUD Styled APIs, Consider Intent-Based Rest APIs: https://betterprogramming.pub/intent-based-rest-apis-or-an-alternative-to-crud-based-rest-apis-1815599db60a
  93. Design patterns for Microservices: https://dzone.com/articles/design-patterns-for-microservices
  94. API Management of comparative views of "real-world" design: https://dzone.com/guides/api-management-comparative-views-of-real-world-des
  95. Securing a REST Service: https://dzone.com/articles/securing-a-rest-service
  96. Swagger Generation With Spring Boot: https://dzone.com/articles/swagger-generation-with-spring-boot
  97. Versioning RESTful Services With Spring Boot: https://dzone.com/articles/versioning-restful-services-with-spring-boot
  98. Ffuf - A fast web fuzzer written in Go: https://hakin9.org/ffuf-a-fast-web-fuzzer-written-in-go/
  99. FFUF (Fuzz Faster U Fool) – An Open Source Fast Web Fuzzing Tool: https://latesthackingnews.com/2019/12/08/ffuf-fuzz-faster-u-fool-an-open-source-fast-web-fuzzing-tool

See Also

Web Services | ESB | Microservices | API Gateway | Discovery | Security